A tool that lets you pirate all fonts on any website, instantly.

Matthijs Herzberg
Matthijs Herzberg Posts: 154
edited March 2021 in Type Business
This is sure to inflame, but don't shoot the messenger! My friend just sent me <EDITED BY MODERATORS>, some artsy fartsy avant garde digital publishing. It lets you type in any website, and will download the webfonts for you instantly. <EDITED BY MODERATORS>, explaining the why and how of the tool, as well as explaining font licensing in general and the morality behind it all.
I personally find their justifications pretty half-baked--most foundries offer trial fonts as well as student discounts. And obviously there's a huge difference between pirating Photoshop and pirating a font from an independent foundry. To say that the latter is a necessary creative tool for younglings as a justification for this click-and-go pirating app doesn't sound like a well thought-out argument to me.
Anyway, I figured you fine folks would at least like to know about this, and I also welcome your opinions.
Final question...I noticed some foundry websites have their fonts protected from this tool. How do I guard my woff2's from being snatched like this? Is it basic CSS/HTML or is there more to it?

Comments

  • Yves Michel
    Yves Michel Posts: 183
    I tried the tool on the website of a type designer and effectively, I was able to download the .woff fonts and open them in FontCreator, for instance.
    A new typovirus Fontvid 21! And no vaccine available, as far as I know.
    Be careful!
  • Matthijs Herzberg
    Matthijs Herzberg Posts: 154
    edited March 2021
    @Ori Ben-Dor I think I had heard of this method, and you're right. Similarly, it's not all that hard to go to <EDITED BY MODERATORS>. Perhaps it can be said that this tool just exposes the fragility of font licensing... but is that really necessary?
  • There’s always been a legal gray area when it comes to tools that enable piracy. Sometimes those same tools enable a valuable and legal use as well. Well-known court cases have hinged on that argument.

    This site, though, is directly urging its users to “steal” fonts. The tool apparently makes it easier than the well-known browser download feature, which is decidedly user-unfriendly and not at all advertised as a way to steal IP or circumvent licensing.

    What we have here is something that really shouldn’t be allowed in its current form (in my opinion). Whatever the legal reality is, it’s morally wrong.
  • Craig Eliason
    Craig Eliason Posts: 1,440
    And of course the original post that alarms the type design community also winds up steering EULA violators to the tool. Both warning and, unfortunately, advertisement. Should mods/OP remove links and make the identifying info more obscure, or do we hope that "naming names" does more good than harm?
  • @Craig Eliason Obviously not what I intended, but I acknowledge that you may be right. Then again, I don’t know how many would-be thieves hang around this forum, and whether they wouldn’t just Google “how to steal a font” if that’s their goal. Either way, if the mods deem it wise to remove the links, I have no problem with that.
  • @Craig Eliason On TypeDrawers exposing such things will do far more good than harm. Tracking them down should be user-friendly too.  :-)
  • How do I guard my woff2's from being snatched like this? Is it basic CSS/HTML or is there more to it?

    There is no way to protect web fonts from being stolen because font files are loaded on the user side.
    You can crop some tables to make the font at least Windows-incompatible to install, plus base64 as the most user-unfriendly format for a regular person, as an option.
  • John Savard
    John Savard Posts: 1,135
    edited March 2021
    Originally, when I first heard of web fonts, they only existed in protected forms: the font file was encoded, along with the URL of the site that the font is used on, and the browser would decode the file only for its internal use. Later, some alternate web font formats that didn't include protection, which made sense for sites using free non-commercial fonts, were also made available.
    So even though the fonts have URLs, which are visible either in the source of the web page, or of its CSS files, that wouldn't help anyone to pirate the fonts if they're in a protected format.
    The discussion here suggests this situation has somehow changed.
    Of course, I can think of one possible reason for this. The source code for some browsers is publicly available. If it is the entire source code, then it would include the key for decrypting protected web fonts. Firefox is open-source, and so is Chromium, the core of the Chrome web browser. Internet Explorer is no longer available from Microsoft, and Microsoft Edge has recently been modified to use the Chromium engine as its core.
    Thus, even if at one time a hacker would have had to disassemble Internet Explorer to access some protected web fonts (in a format only viewable on Internet Explorer!) that is likely no longer the case.
    A web search shows that the protected font format was EOT: Embedded Open Type. However, W3C rejected it as a standard. I thought that some other browsers also had their own protected web font formats, but I could find no mention of any; the current standard, WOFF, does not appear to include an option for that kind of protection.
    What is needed to adequately protect fonts would be:
    An extension to the WOFF spec providing for the kind of encryption used with EOT.
    As this encryption would require a hidden key, the capability of viewing fonts like this would have to be added to browsers with a closed-source binary executable. Of course open-source purists would object, but I don't see how else effective protection could be provided.
    Currently, instead, commercial font providers are insisting that the host only provide the font when the request appears to come from a browser reading the page it is used on, which of course limits these fonts to web pages hosted with advanced functionality.
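The request check described in the last paragraph of the comment above can be sketched as follows. This is an added example, not code from the thread or from any font host; the host names, `font_request_status` and `gate` are hypothetical.

```python
from urllib.parse import urlparse

FONT_EXTENSIONS = (".woff", ".woff2", ".ttf", ".otf", ".eot")
# Assumption: hosts whose pages are licensed to embed the fonts.
ALLOWED_PAGE_HOSTS = {"foundry.example", "www.foundry.example"}


def referer_host(referer):
    """Return the lowercased host of a Referer header, or None if unusable."""
    if not referer:
        return None
    try:
        parsed = urlparse(referer)
        host = parsed.hostname
    except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
        return None
    if parsed.scheme not in ("http", "https") or not host:
        return None
    return host.lower()


def font_request_status(path, referer, allowed=ALLOWED_PAGE_HOSTS):
    """Return 200 to serve the request or 403 to refuse it."""
    if not path.lower().endswith(FONT_EXTENSIONS):
        return 200  # not a font file; this gate does not apply
    host = referer_host(referer)
    if host is None:
        return 403  # font fetched without a referring page
    # Exact match only: a suffix or substring test would also accept
    # look-alike hosts such as foundry.example.evil.test.
    return 200 if host in allowed else 403


def gate(app):
    """WSGI middleware that applies font_request_status before calling app."""
    def wrapped(environ, start_response):
        status = font_request_status(environ.get("PATH_INFO", ""),
                                     environ.get("HTTP_REFERER"))
        if status == 403:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"font requests must come from a licensed page\n"]
        return app(environ, start_response)
    return wrapped
```

The Referer header is supplied by the client, so this check raises the effort needed rather than acting as access control, and it also refuses legitimate visitors whose browsers omit the header.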
  • Alex Visi
    Alex Visi Posts: 185
    edited March 2021
    It’s extremely easy to find and download any font by any reasonably known foundry, so why would anyone even bother with tools like that? And the fact that someone has the font on their computer doesn’t really mean a thing; what matters, is whether they can use the font for any public or commercial project without a chance of getting sued.
  • Comically, I've been the crazy old man shaking his fist at the clouds for a meaningful image based font display solution or to help fund an update to TypeShow which has since been abandoned and the author has no interest in updating it. https://github.com/Raureif/TypeShow
  • George Thomas
    George Thomas Posts: 647
    edited March 2021
    @Stuart Sandler Do you have an estimate of how much the funding would be?
  • Thomas Phinney
    Thomas Phinney Posts: 2,896
    edited March 2021
    @John Savard

    What you are proposing was resoundingly rejected by browser makers a decade ago, for exactly the reasons you mention. It requires proprietary secret elements to make anything resembling real security. And even then, it would doubtless get hacked—just a matter of time.

    Web browser vendors would have to adopt this whole extra security thing, and for what? To enable fonts... but they/we already have fonts on the web! So it is just to help font vendors.

    They wouldn’t collectively all agree to do anything this strong a decade ago, when the prize being dangled in front of them was “real fonts on the web” for the first time. So they sure as heck won’t do it now, when there is ZERO benefit to their end users.
  • JoyceKetterer
    JoyceKetterer Posts: 813
    edited March 2021
    @Thomas Phinney I think the fundamental thing is that it wouldn't actually help font vendors because it's still super easy to get the files off a git or a torrent or whatever.  The only thing that can really help font vendors is real digital rights management – which would need to be at the OS level.
  • Thomas Phinney
    Thomas Phinney Posts: 2,896
    @JoyceKetterer

    All that is ALSO true, and those sorts of reasons are certainly among the reasons browser makers do not see it as a reasonable thing for them to tackle.
  • @Oliver Weiss (Walden Font Co.) (I keep banging on Agree but it just goes on and off... :-)
  • John Savard
    John Savard Posts: 1,135
    edited March 2021
    Web browser vendors would have to adopt this whole extra security thing, and for what? To enable fonts... but they/we already have fonts on the web! So it is just to help font vendors.

    They wouldn’t collectively all agree to do anything this strong a decade ago, when the prize being dangled in front of them was “real fonts on the web” for the first time. So they sure as heck won’t do it now, when there is ZERO benefit to their end users.

    So the font vendors have to do it. Browsers have plug-ins, after all. Here's a plug-in for Chrome and a plug-in for Firefox, to let you view web pages that have the real fonts that are any good on them, instead of stuff from Google Fonts.
    Oh, wait. That won't work either. Unless you're visiting MyFonts to purchase (or even view) a font, why would a typical user bother to install such a plug-in?
    PDF documents have a little security, in that fonts can be "converted to outlines", which apparently comes with subsetting, but they've disclosed the keys so that other people can make PDF viewers, so a serious DRM from Adobe is also not to be expected, as far as I can see, but they came to mind as a first alternative.

    @Thomas Phinney I think the fundamental thing is that it wouldn't actually help font vendors because it's still super easy to get the files off a git or a torrent or whatever.  The only thing that can really help font vendors is real digital rights management – which would need to be at the OS level.

    I think that's a separate issue.
    What I mean by that is: when people use web fonts, they're using the fonts as intended; they purchased those fonts so that they could use the typefaces they're in on their web pages.
    When an .otf or .ttf font file appears on a pirate site, it's because someone who paid for the font decided to "share" it. I would think that professional design houses are unlikely to engage in such activity, and so while people might well upload fonts that "came with" Corel Draw or Microsoft Word... well, although expensive fonts from Font Font and so on can sometimes be found on pirate sites, I would naïvely and optimistically expect that wouldn't happen with... regularity.
    So I do think that the issue with using .woff for proprietary fonts is a gaping hole that is at least somewhat worse than the lack of comprehensive DRM facilities for fonts in operating systems.

    Also: apparently TrueDoc, used with Netscape, was what I dimly remembered as an alternative protected font format that competed with EOT. This had been developed by Bitstream. There were other technologies for protecting webfonts; Typekit, Fontdeck, and an unnamed service offered by Typotheque.
  • @John Savard I'm not clear on why you think customers think of webfonts and otf fonts as separate things.  They really don't.  Someone who wants a webfont is perfectly fine downloading and otf font.  Some of the even embed to oft (I see it fairly often among violators).  And the people who will pirate a font by seem more likely to want desktop use than web.
  • John Savard
    John Savard Posts: 1,135
    JoyceKetterer said:
    @John Savard I'm not clear on why you think customers think of webfonts and otf fonts as separate things.  They really don't.  Someone who wants a webfont is perfectly fine downloading and otf font.  Some of the even embed to oft (I see it fairly often among violators).  And the people who will pirate a font by seem more likely to want desktop use than web.

    When I said this was a separate issue, it wasn't because I thought that people weren't pirating .woff fonts in order to turn them into .otf fonts. What I meant was that I felt that having fonts turn up on pirate sites, while a serious problem, was a more limited one than having every font ever used as a webfont trivially available for downloading, even if no legitimate purchaser had ever intended to contribute to piracy.
  • @John Savard good god, I'm horrified by all my typos in the previous post.  Sorry!

    I don't agree with your conclusion because the other edge of the blade with webfonts is that it is much easier to find and enforce violations.  I've gotten to the point that 99% of my enforcements start with a found web embedding violation.  The other 1% are the customers telling me themselves without realising it and the occasional app embedding.

    Do you know the term "teaching your garden to weed itself"?  That's what webfonts achieve for font licensing.

  • John, rest assured that “professional design houses” regularly put OTFs on websites as web fonts, in violation of their license. Mostly they are not consciously violating their EULA, but they are just being lazy or ignorant about it. Right now I could direct you to a famous publisher’s site and show you “naked” OTFs they’ve deployed there. My guess is that this often happens when a company has licensed a typeface for its identity, so designers assume that license allows them to do whatever they want with it. It’s a never-ending battle, but as Joyce says, WOFF helps a foundry enforce this because they can require that any font put on the web must always be converted to WOFF.

    Another well-known garden analogy is the “garden fence.” WOFF — after all the initial thrashing around about EOT and DRM was over — ended up as a container for fonts whose purpose is to allow a font to work for a web page but to not be installable on the desktop. It’s a very mild form of security. But if someone downloads a WOFF and pulls the font out in order to install it, they have just “hopped the garden fence.” In other words, they have just taken a deliberate action to circumvent something. If I don’t have a fence around my yard, someone can trespass and say “I didn’t know I was trespassing.” If I have a fence and they jump it, it’s now harder for them to argue they didn’t knowingly trespass. WOFF allows foundries to say, “Your misuse wasn’t inadvertent, it was deliberate.”
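A site owner or foundry can check a deployment for the “naked” OTFs mentioned in the comment above by reading each file's leading bytes rather than trusting its extension. This is an added example, not code from the thread; the sample paths and byte strings are constructed, and `classify_font`, `audit` and `sample_woff` are hypothetical names.

```python
import struct

# sfnt version tags that mark a raw, desktop-installable font file.
RAW_SFNT = {b"\x00\x01\x00\x00": "TrueType", b"OTTO": "OpenType/CFF",
            b"true": "TrueType (Apple)", b"ttcf": "TrueType collection"}

def classify_font(data):
    """Return (container, flavor) for a font payload, from its first bytes."""
    tag = data[:4]
    if tag in (b"wOFF", b"wOF2"):
        if len(data) < 12:
            return ("unknown", None)  # truncated header
        # WOFF and WOFF2 both begin: signature, flavor, total length (big-endian).
        _sig, flavor, length = struct.unpack(">4s4sI", data[:12])
        if length != len(data):
            return ("unknown", None)  # header length disagrees with file size
        container = "woff" if tag == b"wOFF" else "woff2"
        return (container, RAW_SFNT.get(flavor, "unrecognised"))
    if tag in RAW_SFNT:
        return ("sfnt", RAW_SFNT[tag])
    return ("unknown", None)

def audit(served):
    """Map each served path to a finding; raw sfnt is flagged whatever its name."""
    findings = {}
    for path, data in served.items():
        container, flavor = classify_font(data)
        if container == "sfnt":
            findings[path] = f"naked {flavor}: convert to WOFF/WOFF2"
        elif container == "unknown":
            findings[path] = "not a recognised font container"
        else:
            findings[path] = f"ok ({container} wrapping {flavor})"
    return findings

def sample_woff(sig, flavor, total):
    """Constructed sample: header fields padded to `total` bytes, no tables."""
    return (sig + flavor + struct.pack(">I", total)).ljust(total, b"\x00")

# Constructed sample input; paths and contents are made up for illustration.
SAMPLE = {
    "/fonts/text.woff2": sample_woff(b"wOF2", b"OTTO", 48),
    "/fonts/display.woff": sample_woff(b"wOFF", b"\x00\x01\x00\x00", 44),
    "/fonts/brand.woff": b"OTTO" + b"\x00" * 40,  # OTF renamed to .woff
}
```

Here `audit(SAMPLE)` passes the two WOFF containers and flags `/fonts/brand.woff`, which is an OpenType file despite its name.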


  • JoyceKetterer
    JoyceKetterer Posts: 813
    edited March 2021
    @Christopher Slye. You're right, of course, but I was getting at something else.  Regardless of the file format, fonts embedded on the web are easy to find. That plus the fact that web embedding permission is more binary than the basic level of licensing (companies tend to have it to the appropriate level or not have it at all whereas, with basic, under licensing is common and much harder to assess from afar). It's easy to identify and enforce licensees who aren't doing internal compliance.  From there you just send a polite inquiry about all their licensing (including basic) and charge for whatever their gap between use and license is.  It's getting your garden to weed itself because the companies that have a constellation of violations are sending up a smoke signal for you to check up on them – to mix metaphors.

    PS - we don't usually treat .otf embedding by licensees who otherwise have an embedding license as a violation.  It's just not worth the bother.
  • @George Thomas it has more to do with finding a willing and interested developer than figuring out how to fund the project. Thus far personally I've not had any luck but would hop on the effort if such a party was identified.
  • AbiRasheed
    AbiRasheed Posts: 238
    edited March 2021
    I think I know what this "hack" is.  Some of your original post was redacted by the mods for obvious reasons so I won't know exactly what tool your friend used but on Reddit some 10 yrs ago it was mentioned using merely a Google search. Basically using Google and index files you were able to retrieve woff files or even straight up ttf/otf. Before Hoefler & Frere split up or around that time when they were revamping their website I had tested it and it worked. I emailed them and got no response and left it at that. I'm assuming it still works to this day.
  • If the Google search hack was doing the "helvetica filetype:ttf" search, that doesn't work anymore. The next best thing, "helvetica inurl:ttf", is semi-thankfully taken over by spam sites.

    On GitHub, this sort of query still works, though.

    @JoyceKetterer Is there a specific strategy you use to find webfonts in the wild?
  • @Roel Nieskens you may want to connect with @Lars Schwarz who has developed a few things you may be interested in at https://namecheck.fontdata.com
  • @Roel Nieskens. I've used various web crawlers over the years including the one from @Lars Schwarz. It's necessary to move around a bit because, like resellers, each one is sorta in a different secure.  Also, some of them fall into disuse, usually because they are a passion project and the developer has to move on to other things.  I think that's the situation with Lars' at the moment?

    Up until very recently my main one was fontsninja but they are pivoting in a way that isn't compatible with my work flow.  We're starting to look into large b to b services that offer pre crawled data of high traffic sites.  This will be the first time I've used a service not catered to the font industry but so far we're getting some pretty encouraging data. 

    I use all these crawlers both for license enforcement and to find uses to feature on fontsinuse.


  • Lars Schwarz
    Lars Schwarz Posts: 114
    edited March 2021
    @JoyceKetterer Basically correct, even though it's still a very specific niche and even if I would offer this to various foundries/designers/distributors again it's still hard to price, because there is no guaranteed outcome/result. 

    It possibly delivers lots of results for "trending fonts", but it may not return any results for other candidates. The costs on my end are the same though. 

    If someone has a "fair" pricing model for this scenario I'm open to it :)